Office of Inspector General
United States International Trade Commission

Review of the Commission's Information Resources Management Function

September 29, 2000

INSPECTOR GENERAL
UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, D.C. 20436

September 29, 2000

We hereby submit Audit Report No. OIG-AR-01-00, Review of the Commission's Information Resources Management Function, for the Commission's implementation of our recommendations.

The principal product of the Commission is information in the form of rulings, determinations, advice, research reports, databases, etc. The Commission relies upon information processes that combine both human and information technology (IT) resources to generate its work products. The design of these processes and the development and allocation of resources for these processes is the responsibility of the Commission's Information Resource Management (IRM) function.

The Clinger-Cohen Act of 1996 was designed to improve IRM in federal agencies.
Among the Act's most important provisions are:

   •     Agencies shall design and implement a process for maximizing the value and assessing and managing the risks of IT acquisitions.

   •     Agencies shall establish goals for improving agency operations and delivery of services to the public through the effective use of IT.

   •     Agencies shall ensure that performance measurements are prescribed for IT used by or to be acquired by the agency.

   •     Agencies shall analyze their missions and, based on this analysis, revise agency mission-related and administrative processes as appropriate before making significant investments in IT that supports those processes.

   •     Agencies shall appoint a Chief Information Officer (CIO) who will advise and assist the agency head and other senior management officials on acquisition of IT and the management of information resources (IR) and who will promote the effective and efficient design of the agency IRM processes.

The purpose of our audit was to evaluate the Commission's current IRM function and to recommend changes and improvements consistent with the Clinger-Cohen Act. We found, as did a 1987 U.S. General Accounting Office audit, that the Commission's IRM function was highly fragmented. Our primary recommendation is that the Commission appoint a CIO and assign sufficient responsibilities and resources to this position so that the CIO can provide unified direction to the Commission's IRM.

We also found shortcomings in the Commission's efforts to align information resources and strategic objectives. To address these shortcomings we made recommendations for strengthening the Information Resources Management Steering Committee (IRMSC) and updating the IRM Strategic Plan.
We also made recommendations for improving the management of the Commission's IRM personnel and improving information security planning.

Because the Commission's work is so information intensive, its main avenue for improvement in its products and services is through improving its IR. The recommendations we have made will provide the procedural framework for such improvement. We recognize that a significant capital investment is necessary to implement our primary recommendation. However, this investment could reap many benefits in the immediate future for the Commission.

A draft of this report was submitted for comment to the Chairman and Commissioners on February 14, 2000, with courtesy copies to Office Directors. In response, the Chairman agreed to the establishment of a CIO office, contingent on the availability of resources. On September 25, 2000, the Chairman approved a plan to implement the recommendations contained in this report. The approved plan is attached as Appendix VI.

                                                    Dev Jagadesan
                                                    Acting Inspector General

Audit Report No. OIG-AR-01-00

Review of the Commission's Information Resources Management Function

September 29, 2000

TABLE OF CONTENTS

I.     Introduction
II.    Objectives
III.   Methodology and Scope
IV.    Background
          A. The Clinger-Cohen Act
          B. Evolution of the Commission's IRM Organization and Process
V.     Commission's Current Organization
VI.    Commission's Investments for Information Resources
VII.   Findings and Recommendations
          A. Designation of a Chief Information Officer
          B. Need for Organizational Change
          C. The Commission's IRM Process
          D. Personnel Assessment
          E. Security Plan
VIII.  Summary of Recommendations

Appendix I - Methodology and Scope
Appendix II - Summary of IRM Provisions of the Clinger-Cohen Act
Appendix III - Summary of IRM Provisions of the Paperwork Reduction Act
Appendix IV - Functions and Responsibilities of IRM Offices and the IRMSC
Appendix V - History of Changes in the Commission's Organizations for IRM since 1989
Appendix VI - Memorandum from the Chairman (CO-74-X-015)

REVIEW OF THE COMMISSION'S INFORMATION RESOURCES MANAGEMENT FUNCTION

I.     INTRODUCTION

The Clinger-Cohen Act of 1996 (Act) and the amendments by the Act to the Paperwork Reduction Act of 1995 (PRA) are based on best practices used by leading public and private organizations to more effectively manage Information Technology (IT).

The Act requires Executive Agencies to design and implement processes that maximize the value of IT acquisitions while managing the risks of those acquisitions. The intent of the Act is the integration of IT decisions with the processes for making budget, financial, and program management decisions, thus explicitly recognizing and elevating the importance of IT.
Thus, agencies must analyze mission-related and administrative processes, revising them as appropriate. Additionally, processes should be benchmarked against comparable processes of public or private sector organizations.

As used in this report, the term, Information Resources Management (IRM), refers to the process of managing information resources to accomplish the mission of the International Trade Commission (Commission). Information Resources (IR) include information itself, as well as related resources such as personnel, equipment, funds, and IT. IT is a subset of IR and refers to the hardware and software operated by the Commission to accomplish particular functions, regardless of the technology involved (e.g. computers, telecommunications, etc.).

II.    OBJECTIVES

The objectives of this audit are to: (1) determine what changes, if any, should be made to the Commission's IRM function to conform to guidance in the Act, and (2) review the Commission's current organization and processes for IRM and determine what improvements, if any, should be made.

III.   METHODOLOGY AND SCOPE

Cotton & Company, LLP, was retained by the Office of Inspector General, to review the Commission's IRM function, with emphasis on the Commission's progress toward implementing the Act. When performing our work, we considered the Commission's size and the benefits of maintaining the current level of operating efficiency with future costs that may result from our recommendations. Our recommendations are intended to maintain the present level of efficiency in the Commission's use of personnel resources within the requirements of the Act and relevant regulations. Additional detail regarding the methodology and scope is contained in Appendix I.
IV.    BACKGROUND

       A.      The Clinger-Cohen Act

The Clinger-Cohen Act is the most prominent of all recent IT reform legislation. The Act applies to all executive agencies. In addition, the conference report (No. 104-450) for the Act provides that government entities that do not expressly fall under the Act should comply to the extent consistent with good government. The Act also amends certain sections of the PRA. A section-by-section summary of the Act and the PRA is provided in Appendices II and III, respectively.

The Act promotes the evaluation and adoption of best management and acquisition practices used by both private and public organizations. Additionally, under the Act, decisions about IT investments are based on quantitative and qualitative factors associated with costs, benefits, and risks of those investments.

Performance data is used to demonstrate how well IT expenditures support improvements to agency programs through measurements such as reduced costs, improved employee productivity, and higher customer satisfaction.

The Act requires the appointment of an executive-level Chief Information Officer (CIO). The designation of the CIO was accomplished by amendment of the PRA. The PRA previously required a "senior official," now designated as the CIO. The CIO retains responsibilities defined under the Act.
The Act incorporated these changes to elevate the importance of IT management within federal agencies.

The Act also streamlines the IT acquisition process by eliminating the General Services Administration's central acquisition authority, placing procurement responsibility directly with Federal agencies, and encouraging the adoption of smaller, modular IT acquisition projects.

Additional key elements of the Act are summarized below:

               1.     Establishing processes for selecting and managing IT investments. The Act provides for agencies to design and implement a process for maximizing the value and assessing and managing the risks of IT acquisitions. The Act lists specific elements that agencies must include in that process and requires integration of the process with those for making budget, financial, and program management decisions.

               2.     Revising agency processes. Before making significant investments in IT, agencies must analyze agency mission-related processes and administrative processes, revising them as appropriate. Agencies should benchmark their processes against comparable processes of public or private organizations.

               3.     Assessing information security. Agencies must ensure that information security policies, procedures, and practices adequately protect resources.

               4.     Assessing agency IRM skills. As part of the Government Performance and Results Act strategic planning and performance evaluation, agencies are called on to assess:

                      a.      Personnel requirements regarding IRM knowledge and skills.
                      b.      The extent to which positions and personnel at executive and management levels in the agency meet those requirements. Agencies must develop strategies and plans for hiring, training, and providing professional development to rectify weaknesses found.

       B.      Evolution of the Commission's IRM Organization and Process

In 1987, the U.S. General Accounting Office (GAO) conducted an audit of the overall operations of the Commission. In February 1987, the GAO issued a report entitled "Observations on the Operations of the International Trade Commission." Appendix III of that report dealt with the Commission's IRM activities.

The GAO report made two principal observations relating to IRM: (1) the Commission's organization and management approach for IRM is fragmented, and (2) the Commission's planning process for IRM is inadequate. Following are pertinent excerpts from the GAO report:

       We observed that ITC's organizational and management structure for information resources is fragmented. The planning process has not been sufficient to provide the information needed for the systematic acquisition and use of information resources. Comprehensive analyses required by federal regulations have not been performed and documented.

       The Paperwork Reduction Act requires that a senior official, reporting directly to the agency head, be accountable and responsible for all of the agency's IRM activities and functions.
       However, the ITC's designated senior official is not involved in many of these activities and functions.

       Although the Director of Operations is ITC's designated senior official for information resources, he does not have the authority or responsibility for planning, directing, and controlling all IRM activities as prescribed in the PRA and implementing regulations. IRM responsibilities at ITC are dispersed among various program and administrative offices, a planning committee, and the Director of Operations. Each program and administrative office independently identifies information resource needs without direction from an approved Agency-wide IRM plan.

       ITC has not developed an overall IRM plan and has not established any policy or issued guidelines to implement a comprehensive planning process.

In order to address GAO concerns about "fragmented" organizational and management structure for IR, the Commission engaged Arthur Andersen & Company (Arthur Andersen), at a cost of $127,000, to review the Commission's organization for IRM. In its final report of July 1988, Arthur Andersen recommended a reorganization which would establish a separate Office of Information Technology Planning, headed by a CIO, and move the Office of Data Systems from the Office of Operations to the Office of Administration. The Commission did not accept the recommendation for establishing a separate IT planning office. However, the Commission did accept the recommendation for relocating the Office of Data Systems.
The Commission also contracted, at a cost of $1,400, with the GSA's Federal IRM Planning Support Center (FIPSC) to review the proposed move. In a report dated August 14, 1989, the FIPSC indicated its agreement with the proposed establishment of an Office of Information Resources Management (OIRM) under the Director of Administration.

Since 1989, the Commission's organization for IRM has undergone numerous changes. These changes are detailed at Appendix V. The end result of these changes is that the Commission now has essentially the same organization for IRM that it had before the GAO audit. In Section VII, we take note of the continuing nature of the conditions initially observed by the GAO and offer appropriate recommendations to address these conditions.

V.     COMMISSION'S CURRENT ORGANIZATION

There are four offices, the Office of Operations, the Office of Administration, the Office of Information Services (OIS), and the Office of Publishing, that currently have the principal responsibility for IRM within the Commission.[1] The organizational relationship between these offices is shown in Figure 1 on the next page. The Director of the Office of Operations is currently designated as the Commission's senior official for IRM and Chairman of the Information Resources Management Steering Committee (IRMSC)[2]. The Director of Administration is responsible for all Commission procurement, including IT procurement. OIS has the major responsibility for planning, management and operation of the Commission's non-publishing-related IT resources. The Office of Publishing is responsible for planning, management and operation of the Commission's IT resources for document preparation and publication. A more detailed description of the functions and responsibilities of these offices and the IRMSC is provided in Appendix IV.

Figure 1 - USITC Organization

       [1] Until recently, the Office of Finance and Budget (OFB) was also involved in the IRM process to the extent that it was responsible for managing the formulation, justification, presentation and execution of the Commission's budget. However, on May 10, 2000, OFB was abolished. Finance/accounting responsibilities were assigned to a new Office of Finance, and budgeting responsibilities were assigned to the Director, Administration.

       [2] The IRMSC is composed of the following members: Director, Office of Operations, Director, Office of Administration, Director, OIS, General Counsel, Secretary, and the Director, Office of External Relations, Adm. Order 00-08, dated August 25, 2000.

VI.    COMMISSION'S INVESTMENTS FOR INFORMATION RESOURCES

The Commission's current IT investments include a server-based local area network, an Oracle database management system, a modern publishing facility, and audio-visual equipment. Each employee has a desktop computer incorporating general and special purpose software.

In addition to these investments, the Commission utilizes substantial computing resources owned by the U.S. Department of Interior (DOI) to perform IT functions for personnel, payroll and accounting.

The budget data in Table 1 reflects the Commission's historical and planned IR investments.

Table 1 - ITC Budget for Information Resources

Office      Fiscal  All IR Except New IT          New IT Equipment  New IT Supplies      Total
            Year    (Includes Personnel,          (Hardware)        (Includes Software)
                    Contracts & Data Processing)

OIS         1999    $4,580,900                    $302,100          $82,500              $4,965,500
            2000    6,103,700                     600,000           120,000              6,823,700
            2001    6,070,800                     785,000           145,000              7,000,800
Total               $16,755,400                   $1,687,100        $347,500             $18,790,000

Publishing  1999    $1,171,900                    $360,800          $166,700             $1,699,400
            2000    1,332,800                     180,000           225,000              1,737,800
            2001    1,332,000                     420,000           300,000              2,052,000
Total               $3,836,700                    $960,800          $691,700             $5,489,200

A flow diagram depicting the
Commission's current process for selecting and funding IR investments is provided in Figure 2 on the next page. The role of the IRMSC in this process is to insure that the Commission's IR investments are aligned with the Commission's strategic plans and objectives. The process shown in Figure 2 applies to IR projects included in the regular budget cycle. Proposed new projects which have not been included in the regular budget cycle are submitted to OIS for review. If funding is available, OIS can approve projects of less than $25,000. Projects requiring more than $25,000 of funding are forwarded to the IRMSC for review and recommendation for approval.[3] Final approval of such projects is made by the Chairman and Commission.

       [3] According to AO 94-01, dated October 12, 1993 the threshold for review is $25,000, however, Directors of Operations, Administration and OIS stated the IRMSC currently reviews projects that exceed a $50,000 threshold.

Figure 2 - Investment Process for Information Resources
(Flow diagram boxes: Offices Prepare and Submit Budget Requests; OIS Reviews and Prepares IT Budget; IRMSC Review; OFB Prepares Consolidated Budget; Budget Committee Review; Commission Review; Approved Budget To Congress. Each review is followed by an "Approved?" decision with YES and NO branches.)

VII.   FINDINGS AND RECOMMENDATIONS

       A.      Designation of a Chief Information Officer

Currently the Director of Operations is designated as the senior official responsible for IRM under PRA by AO 93-15, Appointment of Senior Official for IRM, dated April 2, 1993. AO 93-15 rescinded AO 90-08, which had designated the Director of Administration as the senior IRM official under the PRA.

Section 3506 of the PRA was amended by Section 5125(a) of the Act by striking out "senior official" and inserting "Chief Information Officer."
The amended provisions of the PRA that are of most significance to the Commission's organization for IRM are the following:

       (a)(2)(A) the head of each agency shall designate a Chief Information Officer who shall report directly to such agency head to carry out the responsibilities of the agency under this chapter. (emphasis added)

       (c) With respect to the collection of information and the control of paperwork, each agency shall - (1) establish a process within the office headed by the Chief Information Officer designated under subsection (a), that is sufficiently independent of program responsibility to evaluate fairly whether proposed collections of information should be approved under this chapter, to (emphasis added).

To fully comply with this statute, the Commission should appoint a CIO who reports directly to the Chairman and who is independent of the Office of Operations.

 1     We recommend that the Commission establish a separate position designated as the Commission's Chief Information Officer, reporting directly to the Commission through the Chairman.

        •       Integrate the CIO function into the Strategic Plan.
        •       Designate the CIO as a member of the budget committee.

       B.      Need for Organizational Change

There is a need at the Commission to design and implement a process for maximizing the value and assessing and managing the risks of its IT acquisitions.
The Commission's main product is information of one kind or another. Given the limitations on human resources available to the Commission for the foreseeable future, the Commission must rely on upgrading IT as the principal means for improving products and services. To do this in a constrained funding environment, the Commission must have in place an organization and a process that will yield the greatest possible return on IT investment.

               1.     Integrated Management of IR

We found, as did the GAO, that the Commission's organization and management structure for IR are fragmented. IRM responsibilities are currently dispersed among various program offices (Operations and OIS) and administrative offices (Publishing, Procurement and Finance and Budget), the IRMSC, and the Director of Operations. As indicated in Table 1, the Commission's IT cost center responsibilities are split between OIS under the Director of Operations and the Office of Publishing under the Director of Administration. In addition, OFB (see footnote 1) expended a large portion of OIS cost center funds on DOI support without significant input or oversight by OIS. The PRISM procurement system under the Director of Administration is a major IR system that is not receiving sufficient oversight by OIS. Essentially, all the major systems external to the Office of Operations are going their own way without central direction and control. That direction has to come from an empowered, centralized office such as the recommended CIO Office.

                      a.      Integrated Procurement of IT

The process for procuring IT requires that the following functions be performed: (1) evaluation of Commission requirements for IT, (2) development of specifications for hardware/software to meet Commission IT requirements, (3) evaluation of hardware/software proposed to meet Commission IT requirements, (4) managing development of new IT solutions or procurement of existing IT solutions, and (5) managing installation and integration of hardware/software procured to meet Commission IT requirements. The responsibility for performing these functions is currently divided among several offices. There is a need for a single office, such as the recommended CIO office, to provide centralized, integrated management of these functions in order to efficiently allocate IT procurement funds among competing Commission priorities.

                      b.      Integrated Security Management

OIS has not been able to fulfill the Commission's requirements for security planning (see Section VII.E). Placement of the security function in an office with a Commission-wide focus, such as the recommended CIO office, would allow a better and more integrated approach to security management for the Commission as a whole.

                      c.      Integrated Management of IR Personnel

The management of IRM personnel is scattered across multiple offices. The various offices that have IRM personnel management responsibilities such as OIS, Office of Administration, OFB, Office of Personnel, and Office of Publishing each have their own management approach. The current organizational placement of OIS minimizes its effectiveness in fulfilling its intended role of supporting integrated management of all the Commission's IRM personnel. The recommended CIO office can provide the needed focal point for integrated management of IRM personnel.

               2.     Commission-wide Support.

We found that OIS is more effectively meeting its responsibilities to the Office of Operations, while not so effectively meeting other Commission-wide responsibilities. By virtue of the organizational structure within the Office of Operations, OIS subordinates its Commission-wide duties and responsibilities to the priorities of the Office of Operations. For example, a review of the position description (PD) for the Director of OIS indicated that 13 out of 15 duties and responsibilities of the position are Commission-wide in scope. The other two involve the Office of Operations. However, the performance evaluation plan for the Director, OIS indicates that his performance would be considered unsatisfactory if "Office of Information Services objectives fail to reflect Office of Operations priorities."

                      a.      Rationalizing the Commission's Organization for IRM

We found that the preponderance of OIS responsibilities are Commission-wide in nature. Most information system functions such as network maintenance, computer maintenance and telecommunications management provide support for the organization as a whole. OIS manages the Commission network, e-mail services, and help desk which are Commission-wide. OIS is responsible for the Commission's IT architecture, computer security plan and computer security awareness training. OIS is responsible for the Commission's Strategic IRM plan and its update. Most, if not all of the resources to perform these Commission-wide functions are concentrated in OIS in the Office of Operations.
It would be more logical to place these resources and
functions in an office with a Commission-wide orientation, such as the recommended CIO office.

                      b.      Implementing a Management Information System

The Commission's managers need up-to-date and relevant personnel and financial information
to effectively manage their resources. The source of this information is the personnel/payroll and
financial management system operated for the Commission by DOI. OIS would be better able
to design and implement a system for distributing this information throughout the Commission
if it were placed in an office with a Commission-wide orientation such as the recommended CIO
office.

                      c.      Management of DOI Data Processing Services

DOI currently provides data processing services to support the Commission's personnel, payroll
and financial management functions. Current personnel in the Office of Administration do not
have sufficient expertise to monitor and manage the technical aspects of the services provided by
DOI.

                      d.      Upgrading the Procurement System

The Office of Administration currently uses the PRISM acquisition tracking system to assist in
performing its procurement function. There appears to be a need to update the PRISM, or
acquire a new system, to provide more task automation, greater integration with the rest of the
financial system and more e-commerce functionality. The Office's contract specialists do not have
sufficient expertise to monitor and manage the technical aspects of such an upgrade. The
recommended CIO office should be capable of providing the necessary technical assistance for
this task.

               3.     Summary of Benefits from Reorganizing IRM Management

Consistent with past studies on this subject (Section IV. B), we conclude that it is in the best
interests of the Commission as a whole, to reorganize the Commission's management structure
so that the Office of Information Services and Office of Publishing report to the recommended
CIO office (See figure 3 on next page).

The following benefits would result:

        •      Demonstrated compliance with the Act and PRA.
        •      Improved support for the Commission as a whole.
        •      Resolution of the concerns expressed by the GAO in 1987 that the Commission
               lacked a unitary approach to acquisition of IT resources.
        •      Development of systems and processes for disseminating personnel and financial
               management information out to all parts of the Commission.
        •      Provision of the necessary expertise for technical management of DOI services.
        •      More efficient and more integrated approach to management of the Commission's
               IT resources as a whole.
        •      Better and more integrated approach to security management.
        •      Creation of a more effective CIO position in which IRM responsibility is under
               the direction of one person with the authority for the entire Commission.
        •      More integrated management of IT procurement.

2    We recommend that the Commission modify its management structure so that the Office of
     Information Services and Office of Publishing report to the CIO, when the position is
     established and filled.

                         Figure 3 - USITC Organization with Proposed CIO Office

       C.     The Commission's IRM Process

               1.     IRMSC

Designating a CIO to report to the Commission through the Chairman, and reorganizing the
Office of Information Services and Office of Publishing to report to the CIO, will centralize IRM
and eliminate the fragmentation of responsibilities observed by the GAO. Although these
recommendations are designed to centralize IRM, there is still the need for the IRMSC. The
IRMSC serves a useful purpose by performing independent reviews of IRM, and bringing
together both users and developers to provide the overall perspective needed to insure that the
Commission's IR are effectively applied to the Commission's strategic objectives. Thus, as the
principal user representative, the Director of Operations should continue to serve as IRMSC
Chairman, at least until our recommendations 1 and 2 are implemented.

One of the functions prescribed for the CIO by the Act is to "monitor the performance of IT
programs of the agency, evaluate the performance of those programs on the basis of the
applicable performance measurements, and advise the head of the agency whether to continue,
modify, or terminate a program or project."
Since this is also what the Chairman, IRMSC
should be doing, it follows that, once appointed, the CIO should assume the Chairmanship of
the IRMSC.

Currently, the IRMSC is not effectively performing its assigned functions. In part, this lack of
effectiveness is due to gaps in established policies and, in part, to a lack of implementation of
established policies.

An example of a current policy gap is that AO 94-01 does not provide for IRMSC review of the
Office of Publishing's budget. As indicated in Table I, the Office of Publishing accounts for a
significant portion of total Commission spending for IT. To be effective, the IRM process must
consider the entirety of the Commission's program for IT investments. Another policy gap is that
AO 94-01 does not provide for IRMSC follow-up reviews of programs once they have been
initially approved. This removes much of the management discipline required for successful
program execution.

The most serious shortcoming in the IRMSC, however, is the lack of activity. A review of IRMSC
minutes indicates that the committee meets infrequently and only in response to an external
request. Most recently, the Committee has not even met to consider the IT budget submission
and, instead, has relied on the Budget Committee to carry out these responsibilities. Without
an active and involved IRMSC, the Commission's investments in IT will be lacking in the
strategic direction required to meet the Commission's overall performance objectives. We suggest
that the Chairman, IRMSC, plan a meeting schedule that more effectively implements the
objectives of AO 94-01, to include at least one annual meeting to consider the budget for IT
programs.

3     We recommend that the Director of Administration revise AO 94-01 to provide for: (1)
      designation of the CIO as chairman of the IRMSC, (2) inclusion of the Office of Publishing
      Cost Center in the IRMSC budget review process, and (3) follow-up reviews of approved IT
      programs to assess progress toward established goals.

               2.     Strategic Plan and Results-Based Management

Another shortcoming in the Commission's IRM process is the lack of criteria for measuring the
contribution of IT to the Commission's strategic objectives. Criteria are needed to evaluate the
worth of a particular IT investment and to determine if the IT investment has met the intended
objective.

PRA, Section 3506(b)(2), Federal Agency Responsibilities, provides that agencies are to develop
and maintain a strategic IRM plan prescribing how IRM activities help accomplish agency
missions. Based on the Act, Section 5123, Performance and Results-Based Management,
paragraph (3), the Commission should prescribe performance measurements for IT assets now
being used, or that will be acquired, and determine if those performance measurements capture,
and quantify how well such assets support Commission programs.

The Strategic IRM plan is not fully effective in the IRM process because the plan is not being
updated. One management issue to be addressed is the need to assign specific responsibilities
and deadlines for the preparation of the plan.

OIS has drafted the Commission's IRM Strategic Plan. The plan does not yet, however, provide
either performance goals and measurement criteria for the IRM function or a summary of the
Commission's computer security plan.
Additionally, the Commission has not established results-based
evaluation criteria for managing IT assets.

The following recommendation is designed to enhance the Commission's framework for IT
management through the creation of a baseline IT plan and assignment of responsibilities for its
preparation and updating.

4     We recommend that the Director, Office of Information Services, finalize the IRM Strategic
      Plan. The plan should include performance goals and results-based evaluation criteria for
      managing IT resources and a summary of the computer security plan. Upon appointment,
      the CIO should be assigned the responsibility for annual review and update of the IRM
      Strategic Plan.

       D.      Personnel Assessment

The successful application of IR in meeting the Commission's strategic goals and objectives is
heavily dependent on the knowledge and skills of Commission personnel who have IRM
responsibilities. As goals and objectives change and as technology changes, so must the required
knowledge and skills required by the Commission's IRM personnel. The Commission thus faces
a continuing challenge to identify the knowledge and skills required by its IRM personnel and
to meet these requirements through appropriate training and recruitment efforts.

The Act prescribes certain responsibilities for the agency CIO in maintaining the qualifications
of IRM personnel.
These responsibilities are embodied in the following recommendation.

5    We recommend that the Commission's CIO annually perform the following tasks as part
     of the strategic planning process:

        •      Assess the requirements established for Commission personnel regarding knowledge
               and skill in IRM and the adequacy of such requirements.
        •      Assess the extent to which the positions and personnel of the Commission meet
               those requirements.
        •      Develop strategies and specific plans for hiring, training and professional
               development as necessary to rectify any deficiencies in meeting those requirements.
        •      Report to the Chairman of the Commission on the progress made in improving
               IRM capability.

     Until appointment of a CIO, the Director, OIS should perform these tasks.

       E.      Security Plan

We noted the following characteristics about the Commission's information security plan:

               1.     Major information systems (the Federal Financial System and Payroll
                      Personnel Systems) outsourced via a memorandum of understanding with
                      DOI and linked to the Commission through telecommunications networks
                      are excluded. The Commission maintains a separate security plan for
                      Electronics Dockets Information System (EDIS), which was not integrated
                      into the Commission's computer security plan.

               2.     Security of certain categories of information was prescribed by older
                      Commission directives:

                      1.     Directive 1345, Information Security Program (7/31/90).
                      2.     Directive 1360.1, Automated Data Security Procedures (7/21/93).
                      3.     Directive 7102.1, Guidelines for Using the USITC Local Area
                             Network for Electronic Mail and Bulletin Board Purposes (1/8/90).

                      We saw no indication that these directives were addressed or
                      incorporated by reference in the information security plan.

               3.     Rules applicable to non-technical users were prescribed in the security
                      plan, but those applicable to systems personnel with high-level access to
                      the system were not adequately prescribed.

               4.     The Commission has not approved the information security plan.

               5.     A summary of the security plan was not incorporated into the strategic
                      IRM plan (currently in draft).

Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated
Information Resources, Part A, Requirements, Section 3, Automated Information Security
Programs, provides that agencies implement and maintain a program to assure that adequate
security is provided for all information collected, processed, transmitted, stored, or disseminated
in general support systems and major applications. Part A, Section 3, paragraph a, Controls for
General Support Systems, part (2), System Security Plan, provides that agencies incorporate a
summary of security plans into the strategic IRM plan required by PRA and Section 8(b) of this
circular.

Section 5123 of the Act provides that agencies must ensure that the information security policies,
procedures and practices of the agency are adequate.

Our recommendation is designed to help strengthen the Commission's data security.

6    We recommend that the Director, Office of Information Services, revise the information
     security plan. The plan should address rules applicable to high-level systems users,
     contents of applicable previous security directives, security matters pertaining to
     outsourced systems, and EDIS security. Upon appointment, the CIO should be assigned
     responsibility for annual review and updating of the information security plan.

VIII. SUMMARY OF RECOMMENDATIONS

Based on our review of the Commission's IRM function and recent legislation pertaining to IRM,
we recommend that:

       1) The Commission establish a separate position designated as the Commission's Chief
       Information Officer, reporting directly to the Commission through the Chairman, and
       that the Commission integrate the CIO function into the strategic planning process and
       designate the CIO as a member of the budget committee.

       2) The Commission modify its management structure so that the Office of Information
       Services and Office of Publishing report to the CIO, when the position is established and
       filled.

       3) The Director of Administration revise AO 94-01 to provide for: (1) designation of the
       CIO as Chairman of the IRMSC, (2) inclusion of the Office of Publishing Cost Center in
       the IRMSC budget review process and (3) follow-up reviews of approved IT programs to
       assess progress toward established goals.

       4) The Director, Office of Information Services, finalize the IRM Strategic Plan. The plan
       should include performance goals and results-based evaluation criteria for managing IT
       resources and a summary of the computer security plan. Upon appointment, the CIO
       should assume responsibility for annual review and update of the IRM strategic plan.

       5) The CIO make an annual assessment of the knowledge and skill requirements of IRM
       personnel and the extent to which these requirements are being met. The CIO should
       develop plans for remedying any deficiencies and should report to the Chairman on the
       progress being made in improving IRM capability. Until appointment of a CIO, the
       Director, OIS, should perform these tasks.

       6) The Director, Office of Information Services, revise the information security plan.
       The plan should address rules applicable to high-level systems users, contents of applicable
       previous security directives, security matters pertaining to outsourced systems, and EDIS
       security. Upon appointment, the CIO should be assigned responsibility for annual review
       and updating of the information security plan.

APPENDIX I
                              METHODOLOGY AND SCOPE

Cotton & Company, LLP was retained by the Office of Inspector General, to review the
Commission's IRM function, with emphasis on the Commission's progress towards implementing
the Clinger-Cohen Act. We performed our work according to the criteria established by the
General Accounting Office's Yellow Book as applicable. These standards require that we obtain
sufficient relevant data to afford a reasonable basis for our conclusions and recommendations.

When performing our work we considered the Commission's size and the benefits of maintaining
its current level of operating efficiency with future costs that may result from our
recommendations.
Our recommendations are intended to maintain the present level of efficiency
in the Commission's use of personnel resources, within the requirements of the Clinger-Cohen
Act and relevant regulations.

As part of this engagement, we considered the Clinger-Cohen Act, the Paperwork Reduction Act
of 1995, The Chief Financial Officers' Act of 1990, the Federal Acquisition Streamlining Act of
1994 (Title V), and the Government Performance and Results Act of 1993.

We also considered relevant Federal regulations including:

               1.     OMB Circular A-11, Preparation and Submission of Budget Estimates;

               2.     OMB Circular A-130, Management of Federal Information Resources;

               3.     OMB Memorandum M-97-02, Funding Information Systems Investments;

               4.     Executive Order 13011, Federal Information Technology; and

               5.     Other guidance issued by the Chief Information Officers' Council.

Additionally, we studied the Directives and Administrative Orders issued by the Commission
relating to IRM policies and procedures. We studied mission statements of specific offices and
organizational units that are involved in IT management. We reviewed the Commission's budget
presentations to Congress, the five-year Strategic Plan, the five-year IT Strategic Plan currently
in draft, and the Commission's Computer Security Plans. We studied previous relevant audit
reports issued by the Commission's IG, GAO, and other pertinent consultant reports issued to
the Commission's management.

We interviewed the directors of the offices of operations and administration and some of their
senior staff. We also interviewed and corresponded with the director of the OIS.
In addition, the
OIG contacted office directors in the Office of the Secretary, Office of the General Counsel,
Office of Economics, Office of External Relations, Office of Equal Employment Opportunity,
Office of Industries, Office of Investigations, Office of Tariff Affairs and Trade Agreements, and
Office of Unfair Import Investigations.

We assessed how effectively the Commission has implemented the provisions of the Clinger-Cohen
Act and the Act's associated legislation and regulations. We identified certain areas where
the Commission is not in compliance with the Clinger-Cohen Act and the Act's associated
legislation or regulations; and we identified areas that need improvement, and developed
appropriate findings and recommendations.

No limitations were placed on the scope of our work by the Commission, and we were provided
all information that was necessary to analyze, investigate and document the facts to formulate
our findings and recommendations.

We conducted our work during May to July 1999, and coordinated the follow up with the IG
and Commission management into the summer of 2000.
We express our appreciation for the
cooperation extended to us by office directors and staffs of the Offices of Operations,
Administration, and Information Services, Secretary, General Counsel, Economics, External
Relations, Equal Employment Opportunity, Industries, Investigations, Tariff Affairs and Trade
Agreements, and Unfair Import Investigations.

An exit conference was held on January 24, 2000 with Charlie Hayward and Mano Covindaraj,
Auditors, Cotton & Company LLP; Pamela Dyson, Director, Office of Publishing; Lynn
Featherstone, Director, Office of Investigations; Martin Smith, Director, OIS; Steve Mclaughlin,
Director, Office of Administration; Paul Bardos, Assistant General Counsel, Office of General
Counsel; Judith Borek, Auditor, Office of Inspector General; and Linda Linkins, Assistant to the
Director, Office of Operations.

APPENDIX II

         SUMMARY OF IRM PROVISIONS OF THE CLINGER-COHEN ACT

I.     THE CLINGER-COHEN ACT

What is now known as the Clinger-Cohen Act was originally enacted as Division D, Federal
Acquisition Reform Act, and Division E, Information Technology Management Reform Act
[Public Law (PL) 104-106], of the National Defense Authorization Act for Fiscal Year 1996 (PL
104-450). Divisions D and E were renamed as the Clinger-Cohen Act by the Omnibus
Consolidated Appropriations Act (PL 104-208) of 1997.

II.    OMB REQUIREMENTS

The Clinger-Cohen Act requires OMB to:

               1.     Issue directives to executive agencies regarding capital planning and
                      investment control, revisions to mission-related and administrative
                      processes, and information security;

               2.     Promote and improve the acquisition and use of IT through performance-
                      based and results-based management;

               3.     Use the budget process to analyze, track, and evaluate the risks and results
                      of major agency capital investments in IT information systems, and
                      enforce accountability of agency heads; and

               4.     Report to Congress on the agencies' progress and accomplishments.

The Clinger-Cohen Act amends the Paperwork Reduction Act (PRA) to require executive agency
heads to appoint CIOs at a senior level, responsible for the agency's IRM activities and reporting
directly to the agency head.

III.   EXECUTIVE AGENCY REQUIREMENTS

The Clinger-Cohen Act provides that Executive Agencies are to:

               1.     Design and implement a process for maximizing the value and assessing
                      and managing the risks of IT acquisitions. The Clinger-Cohen Act lists
                      specific elements agencies must include in that process and requires
                      integration of the process with the processes for making budget, financial,
                      and program management decisions.

               2.     Analyze agency mission-related processes and administrative processes,
                      revising them as appropriate, and they must benchmark their processes
                      against comparable processes of public or private sector organizations.

               3.     Ensure that information security policies, procedures, and practices are
                      adequate to protect the agency's resources.

               4.     Assess, as part of the Government Performance and Results Act strategic
                      planning and performance evaluation process, (1) requirements for agency
                      personnel regarding knowledge and skills in IRM, and (2) the extent to
                      which positions and personnel at executive and management levels in the
                      agency meet those requirements. Agencies must develop strategies and
                      plans for hiring, training, and professional development to rectify any
                      deficiencies found.

IV.    SUMMARY OF RELEVANT CLINGER-COHEN ACT SECTIONS

Relevant sections of the Clinger-Cohen Act are summarized and discussed below:

       A.     Section 5002. Definitions. Provides definitions of key IT terms, including the
              following:

              1.     Information Technology: Any equipment or interconnected system or
                     subsystem of equipment, that is used in the automatic acquisition, storage,
                     manipulation, management, movement, control, display, switching,
                     interchange, transmission or reception of data or information by the
                     executive agency.

              2.     Information Resources: Information and related resources such as personnel,
                     equipment, funds, and IT.

              3.     Information Resources Management: The process of managing information
                     resources to accomplish agency missions and to improve agency
                     performance, including through the reduction of information collection
                     burdens on the public.

       B.     Section 5113. Performance-based and results-based management. Describes
              the functions and duties of the Director of Office of Management and Budget.
              Emphasis is on Capital Planning and Investment Control (Section 5112), and
              Performance-based, Results-based management (Section 5113). The Clinger-
              Cohen Act explicitly requires proper compliance with the PRA. Subtitle B,
              Director of the Office of Management and Budget, Section 5111, states: "In
              fulfilling the responsibility to administer functions assigned under ... [44 USC
              Chapter 35] the director shall comply with this title with respect to the specific
              matters covered by this title."

       C.     Section 5121. Responsibilities. In the context of 44 USC Chapter 35, provides
              that the agency head is to comply with the provisions of Clinger-Cohen Act in
              fulfilling the duties under the PRA.

       D.     Section 5122. Capital planning and investment control. Provides that the
              Agency Head is to design and implement in the agency a process for maximizing
              the value and assessing and managing the risks of the IT acquisitions of the
              executive agency. Several requirements for this process are described.
They\n              include:\n\n              1.    Criteria to be applied for acquisition of IT;\n\n              2.    Selection of investments in keeping with those criteria;\n\n              3.    Monitoring the progress of IT investments;\n\n              4.    Management of IT investments;\n\n              5.    Evaluation of the results of such investments; and\n\n              6.    Integrating these with the budget, financial and program management\n                    decisions of the agency.\n\n       E.     Section 5123. Performance and results-based management. Provides the\n              Agency head is to:\n\n              1.    Establish goals for improving the delivery of services to the public through\n                    the effective use of IT.\n\n              2.    Prepare an annual report to be included in the budget submission to\n                    Congress on the progress towards achieving these goals.\n\n              3.    Ensure that performance measurements are prescribed for IT used or\n                    acquired for the agency, and that these measure how well the IT supports\n                    the agency\'s programs.\n\n              4.    Ensure the information security policies, procedures, and practices are\n                    adequate.\n\n       F.     Section 5124. Acquisitions of information technology. This section deals\n              with the authority of Agency Heads to acquire IT.\n\n       G.     Section 5125. Agency Chief Information Officer. 
Section 5125(a) modifies\n              Section 3506 of PRA by striking out the term "Senior Official" and replacing it\n              with a new designation, "Chief Information Officer".\n\n              According to Section 5125(b), an executive agency CIO is responsible for the\n              following:\n\n              1.   Providing advice and other assistance to the head of the executive agency\n                   and other senior management personnel to ensure that IT is acquired and\n                   IR are managed for the executive agency, in a manner that is consistent\n                   with this act and the Paperwork Reduction Act.\n\n              2.   Developing, maintaining and facilitating the implementation of a sound\n                   and integrated IT architecture for the agency.\n\n              3.   Promoting the effective and efficient design and operation of all major\n                   IRM processes, including improvements to work processes of the agency.\n\n              Section 5125(c) applies to the duties and qualifications of Chief Information\n              Officers of Federal agencies listed in 31 USC Section 901(b). The Commission is,\n              however, not one of the agencies listed in 31 USC 901(b). The conference report\n              accompanying the Clinger-Cohen Act provides that the conferees intend that\n              CIOs, in agencies other than those listed in 31 USC Section 901(b), perform\n              essentially the same duties as CIOs in those agencies.\n\n              Section 5125(c)(3)(A) through (D) require that executive agencies must:\n\n              1.   Assess the requirements established for agency personnel regarding\n                   knowledge and skill in IRM.\n\n              2.   
Assess the extent to which the positions and personnel at the executive\n                   level of the agency and the positions and personnel at the management\n                   level of the agency below the executive level meet those requirements.\n\n              3.   Rectify any deficiency in meeting those requirements; develop strategies\n                   and specific plans for hiring, training and professional development.\n\n              4.   Report to the head of the agency on the progress made in improving IRM\n                   capability.\n\n       H.     Section 5126. Accountability. This section requires that each agency head is\n              accountable to ensure that the accounting, financial, and asset management and\n              other information systems are designed, developed, maintained, and used\n              effectively to provide financial and performance data for financial statements. This\n              section also requires such information to be reliable, consistent, and timely. The\n              head of the agency is also accountable to ensure that the statements support\n              assessments and revisions of mission-related processes and administrative\n              processes of the executive agency and the capability to measure performance of\n              investments made by the agency.\n\n       I.     Section 5127. Significant deviations. 
The head of each agency is responsible\n              under Section 3506(b)(2) to identify any major IT acquisition program that has\n              significantly deviated from cost, performance or schedule goals established for the\n              program. Subtitle D provides descriptions of certain responsibilities regarding\n              efficiency, security and privacy of federal computer systems, most of which are\n              under the authority of the Secretary of Commerce. Subtitle E applies to national\n              security systems, and does not need detailed consideration for this audit.\n\n       J.     Section 5201. Procurement procedures. The Federal Acquisition Regulatory\n              Council shall ensure that the process for acquisition of IT is simplified, clear, and\n              understandable and provides the capability to incorporate commercial IT in a\n              timely manner.\n\n       K.     Section 5402. Identification of excess and surplus computer equipment.\n              Not later than six months after the enactment of this Act, the head of each agency\n              is responsible to take an inventory of all computer equipment under the control\n              of that official. In turn, in accordance with title II of the Federal Property and\n              Administrative Services Act of 1949, the head of the agency will maintain an\n              inventory of excess or surplus computer equipment.\n\n\x0c\x0cAPPENDIX III                                                                         OIG-AR-01-00\n\n     SUMMARY OF IRM PROVISIONS OF THE PAPERWORK REDUCTION ACT\n\nI.     
THE PRA OF 1995\n\nThe purpose of the Paperwork Reduction Act (PRA) is to minimize the public\'s paperwork\nburdens resulting from the collection of information by or for the federal government, to\ncoordinate federal information resource management policies, to improve the dissemination of\npublic information, and to ensure the integrity of the federal statistical system. PRA also requires\nagencies to indicate in strategic information management plans how they are applying IR to\nimprove the productivity, efficiency, and effectiveness of government programs, including\nimprovements in the delivery of services to the public.\n\nPRA requires OMB, in consultation with agency heads, to set annual government-wide goals for\nthe reduction of information collection burdens by at least 10 percent during fiscal years 1996\nand 1997 and 5 percent during each of the next 4 fiscal years. It also requires OMB, in\nconsultation with agency heads, to set annual agency goals that reduce information collection\nburdens imposed on the public to the maximum extent practicable. Agencies cannot conduct or\nsponsor a collection of information unless the agency has taken a number of specified actions and\nOMB has approved the collection, though the full Commission may void an OMB disapproval.\nOMB may not approve the collection of information for a period in excess of 3 years. PRA\nrequires OMB to conduct pilot projects to test alternative policies and procedures.\n\nRelevant sections are summarized below.\n\n       A.      Section 3502. Provides some definitions, included in the following\n               subparagraphs:\n\n               1.     The term \'information resources\' means information and related resources,\n                      such as personnel, equipment, funds, and IT.\n\n               2.     
The term \'information resources management\' means the process of\n                      managing IR to accomplish agency missions and to improve agency\n                      performance, including through the reduction of information collection\n                      burdens on the public.\n\n               3.     The term \'information system\' means a discrete set of IR organized for the\n                      collection, processing, maintenance, use, sharing, dissemination, or\n                      disposition of information.\n\n               4.     The term \'information technology\' has the same meaning as the term\n                      \'automatic data processing equipment\' as defined by Sections 111(a)(2)\n                      and (3)(c)(i) through (v) of the Federal Property and Administrative\n                      Services Act of 1949, 40 USC Sections 759(a)(2) and (3)(c)(i) through (v).\n\n       B.      Sections 3503, 3504 and 3505. Describes the setting up of an Office of\n               Information and Regulatory Affairs under the Office of Management and Budget\n               (OMB) and the functions of the Director, OMB and this office.\n\n       C.      Section 3506. Federal agency responsibilities.\n\n               1.     Subsection (a)(2)(A) requires that a "senior official" be designated to carry\n                      out the agency\'s responsibilities under this act. This senior official is to\n                      report to the Head of the Agency. 
Note: Section 5125 of the\n                      Clinger-Cohen Act amended the words "senior official" to Chief Information\n                      Officer.\n\n               2.     Paragraph (a)(3) requires that this senior official head an office responsible\n                      for ensuring agency compliance with the IRM responsibilities established\n                      under this chapter.\n\n               3.     Subsection (a)(4) states that, "Each agency program official shall be\n                      responsible and accountable for IR assigned to and supporting the\n                      programs under such official", and "shall define program information\n                      needs and develop strategies, systems and capabilities to meet those\n                      needs." Under this section, it would appear that all departmental heads\n                      of the Commission are responsible to acquire sufficient knowledge about\n                      IRM, so as to satisfy this section.\n\n               4.     Paragraph (b)(2) states "in accordance with guidance by the Director,\n                      [each agency shall] develop and maintain a strategic IRM plan that shall\n                      describe how IRM activities help accomplish agency missions."\n\n               5.     Paragraph (b) subparagraph (3)(A) states "ensure that IRM operations and\n                      decisions are integrated with organizational planning, budget, financial\n                      management, human resources management and program decisions".\n\n               6.     Paragraph (h) deals with Federal Information Technology, and states that\n                      each agency shall, among others:\n\n                      a.     Assume responsibility and accountability for IT investments.\n\n                      b.     
Promote the use of IT by the agency to improve the productivity,\n                             efficiency, and effectiveness of agency programs.\n\n\x0cAPPENDIX IV\n\n   FUNCTIONS AND RESPONSIBILITIES OF IRM OFFICES AND THE IRMSC\n\n     A.   Office of Operations. The Office of Operations is responsible for\n          coordinating and directing the Commission\'s investigative, analytical, and\n          research work. The Director of Operations reports directly to the Commission\n          and currently has the following IRM-related responsibilities:\n\n          1.     Designated as the Senior Official for IRM in accordance with the PRA.\n\n          2.     Serving as Chairman of the IRM Steering Committee (IRMSC).\n\n          3.     Serving as Chairman of the Information Security Committee.\n\n     B.   Office of Information Services. OIS is responsible for providing IT support\n          for all program, administrative, and executive offices of the Commission. The\n          Director, OIS, reports to the Director of Operations. Specific IRM-related\n          responsibilities of Director, OIS include:\n\n          1.     Administering the Commission\'s computer network, major application\n                 systems, and voice and data communications system, including Help\n                 Desk service.\n\n          2.     Implementing major IT projects, including analysis of requirements and\n                 research of technical alternatives; technical assistance for acquisition of\n                 outside products and services; and installing, configuring, and\n                 troubleshooting system components.\n\n          3.     Developing and maintaining computer systems and programs to\n                 produce analytical reports on international trade and related data, 
and\n                 other computer applications required by the Commission, using a\n                 variety of programming languages and tools.\n\n          4.     Maintaining the central database facility of the Commission, including\n                 the Commission\'s database of international trade and tariff\n                 information.\n\n          5.     Supporting program offices through acquisition and distribution of\n                 information content in any medium (paper, electronic), and\n                 coordinating information requirements agency-wide.\n\n          6.     Operating or supporting the Commission\'s Web sites.\n\n          7.     Managing the computer and information systems security program.\n\n          8.     Managing the Commission\'s records management program. Managing\n                 and establishing procedures for accountability of ADP equipment.\n\n          9.     Coordinating strategic and operating plans, and an information\n                 architecture that promotes the goals of the Commission.\n\n          10.    Serving on the IRMSC.\n\n          11.    Serving on the Information Security Committee.\n\n     C.   Office of Administration. The Office of Administration is responsible for\n          coordinating, directing and controlling the administrative and management\n          functions of the Commission. The Director of Administration reports directly\n          to the Commission. IRM-related responsibilities of the Director of\n          Administration include:\n\n          1.     Managing all IT procurement.\n\n          2.     Chairing the Budget Committee.\n\n          3.     
Serving on the IRMSC.\n\n          4.     Serving on the Information Security Committee.\n\n          5.     Serving as the Personnel Security Officer for the Commission.\n\n          6.     Supervising IR in Publishing, OrB and Procurement.\n\n     D.   Office of Publishing. The Office of Publishing is responsible for supporting\n          the Commission\'s requirements for production of text, audiovisual and\n          broadcast material. The Director, Office of Publishing reports to the Director,\n          Office of Administration. IRM-related responsibilities of the Director of\n          Publishing include:\n\n          1.     Administering the publishing management program, which includes\n                 Government publications design and composition, visual design and\n                 presentation, electronic file preparation, and printing functions (both\n                 electronic printing and traditional offset printing and binding).\n\n          2.     Maintaining an independent computer publishing and digital printing\n                 network. Responsible for all property management matters associated\n                 with the independent network.\n\n          3.     Administering and maintaining all agency-wide publishing programs.\n\n          4.     Managing the budget and accounting for the centralized agency-wide\n                 publishing cost center.\n\n          5.     Administering and managing the agency-wide audiovisual and cable\n                 broadcast programs.\n\n                 a.     
Developing and disseminating agency-wide guidance on report\n                        layout and design, publication production guidelines, and\n                        printing and finishing processes in coordination with the\n                        program offices.\n\n                 b.     Developing and providing technical support, training, and\n                        guidance on publication production, electronic composition,\n                        digital printing, formatting and converting electronic documents\n                        for printing, and electronic file preparation in coordination with\n                        the program offices.\n\n     E.   Information Resources Management Steering Committee (IRMSC). The\n          IRMSC is responsible for establishing IRM policies and procedures, identifying\n          IRM requirements and establishing IRM priorities, based on the requirements\n          of the Commission as a whole. The IRMSC is charged with the responsibility\n          to ensure that IRM initiatives have top management support. The IRMSC also\n          is responsible for assisting the Senior Agency Official for IRM (The Director of\n          Operations) in coordinating major IRM initiatives. In particular, the IRMSC is\n          responsible for:\n\n          1.     Coordinating and integrating the strategic IRM plan with the\n                 Commission\'s budget process.\n\n          2.     Creating standards and procedures for managing and coordinating\n                 decentralized information systems.\n\n          3.     Promoting:\n                 a.    "Top-down" centralized management of information life-cycle\n                       activities and IRM functions.\n                 b.    An integrated approach to IRM.\n                 c.    The cost and value of IRM.\n                 d.    
The use of new technologies to improve the effective use and\n                       dissemination of information.\n\n          4.     Periodically reviewing all IRM expenditures with the IRM cost center\n                 managers as well as reviewing and approving:\n                 a.    The annual IRM cost center budget from the Director, OIS, in\n                       coordination with the Commission\'s program managers.\n                 b.    IRM expenditures not provided in the IRM cost center budget,\n                       or in excess of $25,000. Directors of Operations, Administration\n                       and OIS state the threshold they use for review is $50,000.\n\n          5.     Assisting the OIS and the Procurement Division in the acquisition of\n                 IRM goods and services.\n\n          6.     Establishing IRM subcommittees and working groups as needed.\n\n          7.     Preparing an assessment of personnel resources and IT skills, including\n                 those in the OIS and other of the Commission\'s offices; and developing\n                 a plan for using those resources, including defining responsibilities and\n                 roles for Commission personnel outside OIS that possess technical\n                 proficiency in automation skills.\n\n          8.     
Overseeing periodic reviews of selected IRM program activities for\n                 compliance with General Services Administration and OMB review\n                 programs.\n\n\x0cAPPENDIX V                                                                                         OIG-AR-01-00\n\n                   HISTORY OF CHANGES IN THE COMMISSION\'S\n                       ORGANIZATION FOR IRM SINCE 1989\n\nPrior to 1989, the Commission\'s IRM function was primarily the responsibility of the Office of\nData Systems in the Office of Operations. Based on the Arthur Andersen study in 1988 and\nGSA\'s Federal IRM Planning Support Center (FIPSC) review in 1989, organizational changes\nwere made which transferred the IRM function to the Office of Administration.\n\nFigure 4 - USITC Organization                                  January 23, 1999\n\nIn October 1989, the Library Services Division of the Office of Data Systems was\ntransferred to the Office of Administration, reporting to the Director of Administration.\nIn December 1989, the remainder of the Office of Data Systems, including the 
Statistical Services Division, was moved to the Office of Administration and\nredesignated as the OIRM. Also, in December 1989, the Director of Administration\nreplaced the Director of Operations as the designated senior official for IRM.\n\nFigure 5 - USITC Organization\n\nWith regard to the Information Systems Planning Committee (ISPC), an advisory body reporting\ndirectly to the Chairman, Arthur Andersen recommended that it be changed to allow for senior\nmanagement involvement and a mechanism for user representation through subcommittees. The\nFIPSC also recommended a committee of more senior managers and a change in title to reflect\nits responsibilities for IRM. 
The Chairman agreed with these recommendations and on January\n5, 1990, issued Administrative Order (AO) 90-09 which abolished the ISPC and established the\nInformation Resources Management Steering Committee (IRMSC). The Director of\nAdministration was designated as the Chairman of the Committee. Other members included the\nDirector of Operations, the Executive Assistant to the Chairman, the Director of OIRM, and\nthree rotating members. The primary mission of the IRMSC was to oversee long range IRM\nplanning and to review and approve a long range plan developed by the Director, OIRM to meet\nthe Commission\'s IT needs. Subsequently, the Director, Office of Operations was designated\nChairman of the IRMSC by AO 93-16, dated April 7, 1993.\n\nFigure 6 - USITC Organization                   January 7, 1993\n\nIn January 1993, the Library Services office and the Statistical Services component of OIRM\nwere moved from the Office of Administration back to the Office of Operations (see Figure\n6).\n\nFigure 7 - USITC Organization                   April 4, 1993\n\nIn April 1993, the Director, Office of Operations, was designated as the senior official\nfor IRM replacing the Director of Administration in that capacity. Also, in April 1993,\nthe rest of OIRM was moved to the Office of Operations (see Figure 7) and, in February 1994,\nwas combined with Library 
Services and Statistical Services to form what is now Office of Information Services (OIS) (see\nFigure 8).\n\nA review of Commission records does not indicate the existence of any study, such as preceded\nthe 1989 move, to justify the return of OIRM to the Office of Operations. Commission\nemployees attributed these organizational changes to a perceived lack of responsiveness by the\nOffice of Administration to the requirements of the Office of Operations and to personnel issues\nwithin the Office of Administration.\n\nIn February 1994, a former employee in the Office of Economics was appointed as the Director,\nOIS and currently remains in that position. The former head of OIRM was appointed as the\nAssistant Director. These appointments could be interpreted as signaling a decreased emphasis\non the role of OIS in supporting Commission-wide IR requirements and an increased emphasis\non supporting Office of Operations requirements.\n\nOIS is presently an office within the Office of Operations. 
OIS is now comprised of three\nDivisions: Library Services, Statistical and Editorial Services Division, and Information Systems\nDivision.\n\nFigure 8 - USITC Organization              March 6, 1994\n\n\x0c\x0cChairman                                                        Appendix VI\n\n\n\n\nUNITED STATES INTERNATIONAL TRADE COMMISSION\n\n                              WASHINGTON, DC 20436\n\n\n\n\nSeptember 25, 2000                                                       C074-X-015\n\nMEMORANDUM\n\nTO:         Acting Inspector General\n\nFROM:       Chairman Koplan\n\nSUBJECT: Agency response to recommendations 1-6 of Draft Report OIG-AR-01-00\n         (Review of the Commission\'s IRM Function)\n\n1.     We recommend that the Commission establish a separate position designated\n       as ITC\'s Chief Information Officer, reporting directly to the Commission\n       through the Chairman. We also recommend that the Commission: integrate\n       the CIO function into the strategic planning process; designate the CIO as a\n       member of the budget committee.\n\nResponse: Agree, in part\n\nAgreement with this recommendation is limited to the establishment of a Commission\nCIO and the integration of the CIO function into the strategic planning process and\nbudget committee. As noted below, the Executive Review Board (ERB) is evaluating\nwhere in the organizational structure the CIO fits and to whom the CIO reports.\n\nPlan for Implementation:\n\nOn May 4, 2000, Chairman Bragg sent a memorandum to you noting her belief that\nthere was general consensus among the Commissioners in support of the proposed\ncreation of a separate position designated as the agency\'s CIO. 
The memorandum\nnotes, however, that given the Commission\'s uncertain financial position at the time,\nimplementation of the proposal would have to wait until the Commission\'s funding\nlevel was more certain.\n\nSince that time our funding situation has stabilized somewhat. Therefore, I have asked\nthe ERB to followup on the initial proposal with the understanding that any final action\nthat would be taken would remain dependent on our fiscal situation. The ERB\nhas begun the process of preparing a description of the duties and responsibilities of\nthe CIO position. The ERB expects to complete this task by December 2000.\n\n2.     Recommend that the Commission modify its management structure so the\n       Office of Information Services and Office of Publishing report to the CIO,\n       when the position is established and filled.\n\nResponse: Agree, in part\n\nPlan for implementation:\n\nThe ERB will carefully evaluate and address the issue of organizational structure in its\nreview of the creation of a CIO position. The question of what, if any, offices or\nfunctions should report to the CIO is receiving scrutiny from the ERB. Their report to\nme will include a recommendation on this matter.\n\n3.     We recommend that the Director of Administration revise AO 94-01 to\n       provide for: (1) designation of the CIO as chairman of the IRMSC, (2)\n       inclusion of the Office of Publishing Cost Center in the IRMSC budget\n       review process and (3) followup reviews of approved IT program to assess\n       progress toward established goals.\n\nResponse: Agree\n\nPlan for implementation:\n\nOnce the duties and responsibilities of a CIO have been defined by the ERB and\nagreed upon by the Commission, as noted above, the Office of Administration will\nrevise any and all affected Administrative Orders.\n\n4.     
Finalize the IRM Strategic Plan, to include performance goals and results-\n       based evaluation criteria for managing IT resources and a summary ofthe\n       computer security plan.\n\nRecommended response: Agree\n\nPlan for implementation:\n\nThe IRM Strategic Plan is a key document for defining how the agency will use\ninformation technology and resources to help achieve goals defined in the USITC\nStrategic Plan and Performance Plan. The IRM Plan will be updated annually by the\nCIO I and will address goals identified in the annual update of agency Performance\nPlan as well as other requirements for improving current operations and the evolution\nofthe agency\'s IT Architecture. The target for completion of the annual update will be\nOctober I.\n\nThe following tasks are planned to linalize the IRM Strategic Plan for FY200112005:\n\n\n        I   By the Director, DIS. pending appointment ofa CIO.\n\n                                             2\n\x0c(1)    OIS will complete the review ofprograrn office requirements and plans that\n       was started in early June. 
       This information will be used in conjunction with
       the agency Strategic Plan and the FY2001/2002 Performance Plan to identify
       priority targets for application of information resources.

(2)    OIS will finalize elements of the Plan relating to management of IT staff
       resources and internal processes, including process performance measures.
       Where applicable, these measures will be validated with agency staff
       representatives (e.g., via the Technical Review Committee of the IRM/SC.)
       OIS will also prepare a summary of the Information Security Plan for
       incorporation in the Strategic Plan.

(3)    OIS will consult with the Chairman of the IRM/SC and the Chairman of the
       Budget Committee as the agency's likely FY2001 resource situation becomes
       clear to adjust the plan's near-term objectives.

(4)    OIS will coordinate with the Chairman of the Strategic Planning Committee to
       make sure the IRM Strategic Plan reflects the revised USITC Strategic Plan and
       the final updated USITC Performance Plan for FY2001/2002.

(5)    OIS and the Chairman of the IRM/SC will arrange for IRM/SC review and
       approval (taking into account their input.)

The target for an approved IRM Strategic Plan is October 31, 2000.

5.     CIO to assess IRM skills annually and report on progress to the Chairman.
       (Director, OIS to perform this function pending appointment of CIO.)

Recommended response: Agree

Plan for implementation:

The CIO² will annually assess information-technology and information resources
management skills required for execution of the IRM Strategic Plan, determine gaps
between those requirements and existing staff skills, and recommend strategies for
closing the gaps.
The strategies will be summarized in the IRM Strategic Plan.
Specific recommendations for staffing and for funding for training of information-
resources staff, as well as funding to secure special expertise not available on staff,
will be incorporated into the annual budget process. The CIO will make other
resources-related recommendations to the Chairman as necessary.

The target for implementing this procedure in future years will be October 1
(coincident with the target for the IRM Strategic Plan.) The FY2001/2002 budget
recommendations of the Director of OIS includes current recommendations on staffing
and funding for training and external sourcing of specialized expertise; the
FY2001/2005 IRM Strategic Plan (targeted for November 1, 2000) will include a
discussion of human resource requirements.

        ² The Director, OIS, pending appointment of a CIO.

In addition, the CIO will develop and maintain a program of training and information
for non-technical staff involved in managing information resources. The target
audience for this program includes the members of the IRM Steering Committee and
the Budget Committee, as well as representatives from Commissioners' offices who
may have responsibility for assessing technology-related proposals. The CIO will
work with the ERB to integrate this program into the ERB's other executive
development plans.

The target for development of the program is April, 2001.

6.     Director, OIS, should revise the information security plan.
       (CIO to review
       and update plan annually following appointment)

Recommended response: Agree

Plan for implementation:

The Commission has an excellent information security record, with no known
significant breaches in the past 5 years, virtual immunity from the various viruses and
other cyber-security threats that have grabbed headlines recently, and high marks from
2 separate outside reviews of our systems for protection from Internet threats. All this
has been delivered at minimal cost, with key staff assigned on an "additional-duties"
basis, thanks in great measure to a cooperative and security-aware Commission
community.

Responding to former Chairman Bragg's push to update, simplify and reduce the
number of USITC Directives, OIS initiated an ambitious consolidation of information
security-related Directives last year, and has just submitted a proposed Information
Security Directive to the first stage of the Directives Review process. The draft
directive will replace 5 current directives. It was designed to combine guidance from
various Federal sources, and cover both paper and electronic information, to give staff
a single, more comprehensible reference. To make the new guidance as "user-
friendly" as possible, program offices have been involved throughout the drafting
process.

In addition to the policy and guidance in the security Directive, we are required by
OMB Circular A-130 to document the security controls for each of the agency's major
computer systems, including the general network we all use ("ITCNet") and each
"major application system." We have plans in place for ITCNet and for EDIS, which
was determined to be the only system qualifying as a "major application system"
under OMB's standards.
We have recently added specific "rules of the system" for
privileged system users (i.e., administrators) to the ITCNet plan, as recommended by
the IG's draft report.

The remaining steps to complete the agency's information security planning are:

(1)    Make minor changes to the draft Information Security Directive to clarify the
       relationship between the Directive and the computer system security plans, and
       respond to other issues that may be raised during the directives review process;

(2)    Secure Commission approval of the new Directive. The first "informal" round
       of comments are due on July 24. We estimate final approval is likely during
       October.

(3)    OIS will work with the manager responsible for the EDIS system (the
       Secretary) to add "rules of the system" for privileged users, to respond to the
       IG's specific recommendation;

(4)    Combine the ITCNet and EDIS plans into a single document to clarify how
       they are related and explain how these plans relate to security policy as defined
       in the Information Security Directive. (Note: this will not be a public
       document since the plans contain information on the nature of our security
       controls that might be useful to persons intending to compromise them.)

We estimate this can be completed by October 31, 2000.

CHAIRMAN ACTION:

Approve: ______                Disapprove: ______

Chairman, Stephen Koplan                            Date:

The Commission
Director of Operations
Director of Administration